My name is Nicolas Economou and I’m a specialist member of the Exploit Writing Team here at CORE Labs, specializing in Windows kernel exploitation. Today, I would like to say a few words about a 0-day published a month ago.

On Friday, May 17, 2013, Tavis Ormandy released a Windows kernel 0-day in a post sent to full-disclosure (http://seclists.org/fulldisclosure/2013/May/91). This vulnerability exists in the "EPATHOBJ::pprFlattenRec" function located in "win32k.sys" (part of the Windows kernel).

In the latest “Patch Tuesday” (http://technet.microsoft.com/en-us/security/bulletin/ms13-jun), Microsoft released 2 Windows kernel patches:

- MS13-048 Vulnerability in Windows Kernel Could Allow Information Disclosure (2839229)
- MS13-049 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (2845690)

In MS13-048, the "ntkrnlpa.exe" and "ntkrnlos.exe" files were patched, and in MS13-049, the "tcpip.sys" driver was patched. However, "win32k.sys" wasn't patched, so as of today, all Windows operating systems are still vulnerable to this exploit.

Exploitation:

The bug occurs when the "EPATHOBJ::pprFlattenRec" function doesn't initialize the next list pointer of an allocated structure. The real exploitation happens when the exploit exhausts kernel memory and the "ExAllocatePoolWithTag" kernel function fails. To make "ExAllocatePoolWithTag" fail so that the uninitialized pointer gets used, the original PoC produces an interesting race condition to trigger the bug. When the uninitialized pointer is used, control of the kernel can be taken by writing to an arbitrary memory position. As the exploit needs to produce a race condition to trigger the bug, the exploitation is not always reliable, so the idea is to repeat the process many times during the attack in order to exploit the bug.
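The bug class described above, as an added example that is not from the original post or from win32k.sys: a simplified user-mode C model in which a record is linked into a list before its next pointer is written and a later allocation fails, next to a hardened version. All names (rec_t, pool_alloc, append_vulnerable, append_hardened) and the exact ordering of steps are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed user-mode model; every name and the step order are assumptions,
   not win32k symbols or code. */
typedef struct rec { struct rec *next; } rec_t;
static rec_t stale_target;     /* whatever the recycled memory used to point at */
static rec_t arena[8];         /* stands in for reused pool memory */
static size_t arena_used;
static int fail_after = -1;    /* fault injection: allocations left before failure */

static void pool_reset(int fail_at) {
    for (size_t i = 0; i < 8; i++) arena[i].next = &stale_target; /* stale contents */
    arena_used = 0; fail_after = fail_at;
}
static rec_t *pool_alloc(void) {   /* no zeroing, and it can fail */
    if (fail_after == 0 || arena_used == 8) return NULL;
    if (fail_after > 0) fail_after--;
    return &arena[arena_used++];
}
/* Vulnerable: the record is linked in before its next field is written. */
static int append_vulnerable(rec_t **tail) {
    rec_t *n = pool_alloc();
    if (!n) return -1;
    (*tail)->next = n;             /* published with a stale next */
    if (!pool_alloc()) return -1;  /* exhaustion: error path skips the init below */
    n->next = NULL; *tail = n;
    return 0;
}
/* Hardened: initialise first, publish last; failure leaves the list untouched. */
static int append_hardened(rec_t **tail) {
    rec_t *n = pool_alloc();
    if (!n) return -1;
    memset(n, 0, sizeof *n);       /* next == NULL before anyone can see it */
    if (!pool_alloc()) return -1;
    (*tail)->next = n; *tail = n;
    return 0;
}
/* 1 if a walk from head ends at NULL, 0 if it runs into stale data. */
static int list_is_terminated(const rec_t *head) {
    for (const rec_t *p = head; p; p = p->next)
        if (p == &stale_target) return 0;
    return 1;
}
int main(void) {
    rec_t head = { NULL }, *tail = &head;
    pool_reset(1); append_vulnerable(&tail);   /* second allocation fails */
    int broken = !list_is_terminated(&head);
    head.next = NULL; tail = &head;
    pool_reset(1); append_hardened(&tail);
    return !(broken && list_is_terminated(&head));  /* exit 0 when both hold */
}
```

Under the same injected allocation failure, the vulnerable append leaves a list whose last record points at stale data, while the hardened append leaves the list unchanged and NULL-terminated.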
In the embedded video file, a user is running "Windows 8" with "guest" privileges and installs an Impact agent (agent0.exe). After that, from this installed agent, the "Microsoft Windows Win32k pprFlattenRec Vulnerability Exploit" exploit is launched from Core Impact. The final result is a new agent that executes a console running with "system" privileges.

Some other details about this video:

- The new agent (the agent with more privileges) is injected and executed in the WINLOGON.EXE process; it is then able to open a visible console with "system" privileges.
- During the exploitation, sometimes, if a visible application is running, the "dwm.exe" process (Desktop Windows Manager) dies and the screen goes black.